Transcription

3 Table of contents Table of Contents CHAPTER 1. Introduction Key elements of audit and control The control pyramid Types of audit Audit roles Internal control models Research objectives and methodology Research questions of the international study CHAPTER 2. The control pyramid in Australia External audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control Organization Audit committee Legal authority and mandate Audit committee s role Organization Defence Inspector General CHAPTER 3. The control pyramid in Canada External audit: Office of the Auditor General of Canada Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control Organization Audit committee Legal authority and mandate Audit committee s role Organization CHAPTER 4. The control pyramid in the Netherlands External audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit Legal authority and mandate Audit roles Organizational structure

4 The modernization of the public control pyramid: international trends Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control Organization Audit committee Legal authority and mandate Audit committee s role Organization The Inspectorate of the Budget CHAPTER 5. The control pyramid in Sweden External audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control Organization Audit committee The Swedish National Financial Management Authority (ESV) The Swedish Agency for Public Management (Statskontoret) CHAPTER 6. The control pyramid in the United Kingdom External audit: National Audit Office Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control Organization Audit committee Audit committee s role Organization CHAPTER 7. The control pyramid in the United States External audit: Government Accountability Office Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal audit: Offices of Inspector General Legal authority and mandate Audit roles Organizational structure Cooperation with other audit forms Internal control Legal authority and mandate Role of the internal control

7 List of figures List of figures Figure 1.1 The three-level control pyramid Figure 1.2 Different auditor roles Figure 1.3 Internal Control Integrated Framework Figure 1.4 Entreprise Risk Management Figure 2.1 The audit process of the Australian National Audit Office Figure 2.2 Number of performance reports of the Australian National Audit Office Figure 2.3 Number of financial statement audit reports of the Australian National Audit Office Figure 2.4 Number of Better Practice Guides produced by the Australian National Audit Office Figure 2.5 Organization chart of the Australian National Audit Office Figure 2.6 The control structure in Australia Figure 3.1 Actors in the control pyramid in the federal government of Canada Figure 3.2 Organization chart of the Office of the Auditor General of Canada Figure 3.3 Implementation of the integrated risk management framework Figure 3.4 Common Risk Management Process Figure 4.1 Organization chart of the Dutch Supreme Audit Institution Figure 4.2 The position of the Management Control System Figure 5.1 Riksrevisionen organizational chart Figure 6.1 The control pyramid in the UK central government Figure 6.2 Organization chart of the National Audit Office Figure 6.3 Risk Management Assessment Framework Figure 7.1 Actors in the control pyramid in the United States federal government Figure 7.2 Organization chart of the Government Accountability Office Figure 7.3 Organization structure of the Offices of Inspector General

8

9 List of tables List of tables Table 1.1 The level of independence of Supreme Audit Institutions Table 1.2 Research questions of the international study on the control pyramid Table 2.1 Institutions audited by the Australian National Audit Office Table 2.2 Types of audit conducted by the Australian National Audit Office Table 2.3 Types of audits performed by internal auditors in the Australian Federal Government Table 2.4 Comparison of resource allocation between assurance activities Table 2.5 Participation in consulting activities Table 2.6 Internal control mandate in the Australian Federal Government Table 3.1 Institutions audited by the Office of the Auditor General of Canada Table 3.2 Types of audit performed by the Office of the Auditor General of Canada Table 3.3: Net operating audit costs of the Office of the Auditor General by type of audit Table 3.4 Mandate of internal audit units in the federal government of Canada Table 3.5 Time spent on different internal audit activities...54 Table 3.6: Internal control mandate in the federal government of Canada Table 4.1 Institutions audited by the Supreme Audit Institution of the Netherlands Table 4.2 Types of audit performed by the Supreme Audit Institution of the Netherlands Table 4.3 Publications of the Dutch Audit Court per objective*** in 2001, 2002 and Table 4.4 Mandate of internal audit units in the central government of the Netherlands Table 4.5 Internal control mandate in the central government of the Netherlands Table 5.1 Institutions audited by the Swedish Supreme Audit Institution Table 5.2 Types of audit performed by the Swedish Supreme Audit Institution Table 5.3 Internal audit mandate in the Swedish central government Table 5.4 Internal control mandate in the Swedish central government Table 6.1 Institutions audited by the National Audit Office Table 6.2 Types of audit performed by the National Audit Office Table 6.3 Percentage of net resources National Audit Office by objective Table 6.4 Evolution of direct staff costs and consultant costs of the National Audit Office Table 6.5 Number of full-time employees National Audit Office by objective for Table 6.6 National Audit Offices statement of resources by objective for the year ended 31 March Table 6.7: Types of audit performed by Internal Audit Units in UK central government departments.102 Table 6.8 Types of internal control in the UK central government Table 7.1 Institutions audited by the US Government Accountability Office Table 7.2 Types of audits performed by the US Government Accountability Office Table 7.3 Goals of the Government Accountability Office and associated net operating costs Table 7.4 Performance measures of the Government Accountability Office Table 7.5 Internal audit mandate of the Offices of Inspector General in the United States Table 7.6 Activities and performance of the Offices of Inspector General in FY Table 7.7 Internal control mandate in the United States federal government Table 8.1 Mandate of six Supreme Audit Institutions Table 8.4 Key features of six Supreme Audit Institutions Table 8.8 Key features of internal audit in six OECD countries Table 8.9 Legislation concerning internal control in six OECD countries Table 8.10 Key features of internal control in six OECD countries Table 8.11 Key features of audit committees in six OECD countries

10

11 Acknowledgements Acknowledgements In the context of this international study, we had the opportunity to interview several civil servants to talk about the reforms in their country. These meetings were very instructive in the sense that they provided us with very accurate information and helped us to see the reforms in a broader perspective. Hereby, we want to thank all the interviewees for sharing their views on the reform agenda and for giving us further insight in the features and challenges of the financial and management systems. We would like to thank Vital Put, auditor at the Belgian Supreme Audit Institution and PhD Student at the Public Management Institute, for his support and valuable comments in this international comparative study. Finally we would also like to thank the Flemish Government for giving us the opportunity to conduct this international comparative study. 11

12

13 Abstract Abstract As budgeting and accounting systems are becoming more results-oriented, there is also a need to modernize the audit and control systems in government. Results-oriented financial management reforms as accrual accounting and budgeting, performance budgeting and management accounting require an increased freedom to manage as a condition for success. This means that there is a need for new ways of audit and control. In traditional systems, there are multiple controls to check whether regulations were followed, often creating a heavy control burden, without a guarantee that the achievement of objectives is controlled. A modern view on audit and control stands for a clear division of labor between different control and audit actors so that they will not repeat each other s work, but build further on it. A modern audit and control system also looks beyond compliance with legislation and regulation towards controlling and auditing for results. Moreover, to give managers more freedom to manage, there is an evolution from ex ante controls to ex nunc and ex post controls. In this study we give an overview of the evolutions in the control pyramid in the central/federal governments of six OECD countries: Australia, Canada, the Netherlands, Sweden, the United Kingdom and the United States. We compare the key features of external audit, internal audit, internal control and audit committees. We also pay attention to the challenges that occur when modernizing audit and control systems. 13

14

15 Chapter 1: Introduction CHAPTER 1. Introduction 1. As budgeting and accounting systems are becoming more results-oriented, there is also a need to modernize the audit and control systems in government. Results-oriented financial management reforms as accrual accounting and budgeting, performance budgeting and management accounting require an increased freedom to manage as a condition for success. 2. This means that there is a need for new ways of audit and control. In traditional systems, there are multiple controls to check whether regulations were followed, often creating a heavy control burden, without a guarantee that the achievement of objectives is controlled. A modern view on audit and control stands for a clear division of labor between different control and audit actors so that they will not repeat each other s work, but build further on it. A modern audit and control system also looks beyond compliance with legislation and regulation towards controlling and auditing for results. Moreover, to give managers more freedom to manage, there is an evolution from ex ante controls to ex nunc and ex post controls. 3. In this chapter we will introduce the international comparative study on the modernization of the control pyramid. First, we give an overview of the key elements of audit and control. Second, we will explain the research objectives and the methodology of the study. Third, the set of research questions of the international comparison are summed up Key elements of audit and control 1. To start, we will provide an introduction to the key elements of audit and control. Which actors are involved in the control pyramid? What are the definitions of audit and control? What are the differences between internal and external auditing? In this context, we also describe the different types of audit and the different roles an auditor may play. We also give an overview of the major models for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) The control pyramid 1. What is the control pyramid looking like? This is illustrated in Figure 1.1. The control pyramid contains three major levels. At the basis of the pyramid, one may find the internal control system. At the second level, there is the internal audit system, which builds further on the internal control system. At the third level, there is the external auditor, which relies in his/her work on the achievements of the internal auditor. The different concepts of the control pyramid are explained in this section. Scrutiny External audit Internal audit Internal control Information Figure 1.1 The three-level control pyramid Definitions Audit 1. Audit is an expert examination of legal and financial compliance or performance, carried out to satisfy the requirements of management (internal audit), or an external audit entity or any other independent auditor, to meet statutory obligations (external audit). Audit is an objective assurance activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing systematic, disciplined approach to assess and improve the 15

16 The modernization of the public control pyramid: international trends effectiveness of risk management, control and governance (OECD, 2004). Internal audit 1. The Institute of Internal Auditors has defined internal auditing as an independent and objective assurance and consulting activity designed to add value and improve an organization s operations. Internal auditing helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes (Institute of Internal Auditors, 2002). 2. The International Organization of Supreme Audit Institutions, INTOSAI has described internal audit as the functional means by which the managers of an entity receive an assurance from internal sources that the processes for which they are accountable are operating in a manner which will minimize the probability of the occurrence of fraud, error or inefficient and uneconomic practices. Internal audit has many of the characteristics of external audit but may properly carry out the directions of the level of management to which it reports (INTOSAI Audit Standards Committee, 2001: 71). Internal control 1. According to INTOSAI, internal control is the whole system of financial and other controls, including the organizational structure, methods, procedures and internal audit, established by management within its corporate goals, to assist in conducting the business of the audited entity in a regular economic, efficient and effective manner; ensuring adherence to management policies; safeguarding assets and resources; securing the accuracy and completeness of accounting records; and producing timely and reliable financial and management information (INTOSAI Audit Standards Committee, 2001:71) Internal versus external auditing 1. Internal audit refers to an audit carried out by a department or unit within a ministry or another government organization, entrusted by its management with carrying out checks and assessing the systems and procedures in order to minimize the likelihood of errors, fraud and inefficient practices. They report directly to the senior management on weaknesses and recommend improvements. External audits on the other hand are conducted by independent organizations that report most often directly to parliament and are often referred to as supreme audit institutions. 2. The differences between internal and external audit relate to perspective, accountability, independence and emphasis (Buttery, Hurford and Simpson, 1993: 107). First of all, external audit has a wider perspective, which allows viewing the organization from a more detached stance. On the one hand, this adds to independence. On the other hand, the external auditor misses the view on the ins and outs of the organization. Internal auditors who have transferred to external audit often comment that, previously, they knew where the skeletons were, but did not have the power to act: now they have the power but do not know where to find the skeletons (Buttery, Hurford and Simpson, 1993: 107). 3. Second, external auditors have different accountability lines. Whereas, external auditors are in the majority of countries accountable to the legislative branch, the internal auditor reports to the management within the organization. 4. A third difference between internal and external auditors concerns the level of independence. The independence of the external auditor can be guaranteed in the way of appointment of the external auditor and the way in which resources are allocated. Table 1.1 gives an overview of the Supreme Audit Institutions with independence established in the constitution and Supreme Audit Institutions with independence established in law. 16

17 Chapter 1: Introduction Independence established in the constitution Independence established in law Belgium, Finland, France, Germany, Hungary, Australia, Austria, Canada, Czech Republic, Ireland, Japan, Kenya, Mexico, the Netherlands, Denmark, Finland, Iceland, Israel, Italy, Korea, Norway, Slovenia, South Africa, Spain, Sweden, New Zealand, Portugal, United Kingdom, United Turkey, States Table 1.1 The level of independence of Supreme Audit Institutions. 5. Fourth, the operational emphasis of internal and external audit differs. The internal auditor concentrates attention upon internal controls within the organization, with a view to ensuring the security of assets, the reliability of records, economy, efficiency and adherence to policy. Whilst the external auditor is interested in each of these areas, and indeed, devotes a good part of the audit to them, the auditor is also anxious to ensure that the organization acts only within its statutory powers and that the accounts of the organization present a fair picture of its activities (Buttery, Hurford and Simpson, 1993: 108) Types of audit 1. The scope of audits varies widely, as does the terminology in this area, and includes financial and performance audit (according to the auditing standards prepared by INTOSAI): 2. Financial audit consists of the following aspects: - attestation of financial accountability of accountable government entities/entities, involving examination and evaluation of financial records and expression of opinions of financial statement, - attestation of financial accountability of the government administration as a whole, - audit of financial systems and transactions including an evaluation of compliance with applicable statutes and regulations, and - audit of internal control and internal audit functions. 3. Performance audit contains the following elements: - audit of the economy of the administrative activities in accordance with sound administrative principles and practices and management policies, - audit of the efficiency of the utilization of human, financial and other resources, including examination of information systems, performance measures and monitoring arrangements and procedures followed by the audited organizations/entities for remedy identified deficiencies, and - audit of the effectiveness of the performance in relation to the achievement of the objectives of the audited government organizations/entity, and audit of the impact of activities compared with the intended impact. 3. The INTOSAI general auditing principles stipulate that Supreme Audit Institutions should work towards improving techniques for auditing the validity of performance measures. The expanding audit role of the auditors will require them to improve and develop new techniques and methodologies to assess whether reasonable and valid performance measures are used by the audited entity (INTOSAI Audit Standards Committee, 2001: 34) Audit roles 1. Auditors may perform different roles. Pollitt defined four possible roles, specific for performance auditors: the judge or magistrate role, the public accountant role, the researcher or scientist role and the management consultant role (Pollitt, Girre & Lonsdale, 1999: 210). This is illustrated in FFigure

18 Chapter 1: Introduction 2. Based on the distinction made by Pollitt we will describe in this report four audit roles that Supreme Audit Institutions may have: - an auditor role: financial audits, compliance audits and performance audits, - an advisor role: providing studies, prior reports and other information to decision-makers, - a research and development role: compiling, testing, and assessing opportunities to improve the efficiency and effectiveness of public administration and management, and - an exemplary role for professional management: a model for effective public management, by the early adoption of best management practices. professional base in law judge/magistrate giving judgements decisions researcher/ scientist creating new knowledge giving information professional base in economics and social sciences professional base in accountancy public accountant producing reports to enhance public accountability and transparency management consultant giving help and advice to public bodies suggesting improvements professional base in management studies and business economics F Figure 1.2 Different auditor roles Internal control models COSO I 1. The most important model of internal control is the COSO model developed by the Committee of Sponsoring Organizations of the Treadway Commission. This Committee published in 1994 the report Internal control: integrated framework that established a common definition of internal control and provided standards against which organizations can assess their control systems (Committee of Sponsoring Organizations of the Treadway Commission, 1994) 2. COSO defined internal control as a process effected by an entity s board of director s management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: - Effectiveness and efficiency of operations - Reliability of financial reporting - Compliance with applicable laws and regulations. 3. Internal control is a process. It is a means to an end, not an end in itself. Internal control is effected by people. It s not merely policy manuals and forms, but people at every level of an organization. Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity s management and board. Internal control is geared to the achievement of objectives in one or more separate but overlapping categories (Committee of Sponsoring Organizations of the Treadway Commission, 1994). 4. COSO states that internal control consists of five interrelated components, which are derived form the way management runs a business and are integrated with the management process. These five components are summed up and illustrated in Figure 1.3 (Committee of Sponsoring Organizations of the Treadway Commission, 1994): - control environment, - risk assessment, - control activities, - information and communication, and - monitoring. Figure 1.3 Internal Control Integrated Framework. 18

19 Chapter 1: Introduction 5. The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors (Committee of Sponsoring Organizations of the Treadway Commission, 1994). 6. Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change (Committee of Sponsoring Organizations of the Treadway Commission, 1994). 7. Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties (Committee of Sponsoring Organizations of the Treadway Commission, 1994). 8. Pertinent information must be identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There also needs to be effective communication with external parties, such as customers, suppliers, regulators and shareholders (Committee of Sponsoring Organizations of the Treadway Commission, 1994). 9. Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board (Committee of Sponsoring Organizations of the Treadway Commission, 1994) COSO II 1. The Committee of Sponsoring Organizations of the Treadway Commission developed the COSO II model as there was a need for a robust framework to effectively identify, assess and manage risk. It published in 2004, the report Enterprise Risk Management: Integrated Framework. The COSO I model keeps serving as the broadly accepted standard for internal control. However, the Enterprise Risk Management Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management (Committee of Sponsoring Organizations of the Treadway Commission, 2004). While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look at the enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process (Committee of Sponsoring Organizations of the Treadway Commission, 2004: v). 19

20 The modernization of the public control pyramid: international trends 2. Enterprise risk management is a process, ongoing and flowing through an entity. Enterprise risk management is effected by people at every level of an organization. Enterprise risk management is applied in strategy setting and is applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk. Enterprise risk management is designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite. Enterprise risk management is able to provide reasonable assurance to an entity s management and board of Directors. Enterprise risk management is geared to achievement of objectives in one or more separate but overlapping categories (Committee of Sponsoring Organizations of the Treadway Commission, 2004: 2). 3. Within the context of an entity s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity s objectives, set forth in four categories: - Strategic high-level goals, aligned with and supporting its mission - Operations effective and efficient use of its resources - Reporting reliability of reporting - Compliance compliance with applicable laws and regulations (Committee of Sponsoring Organizations of the Treadway Commission, 2004: 3). 4. Enterprise risk management consists of eight interrelated components: - internal environment, - objective setting, - event identification, - risk assessment, - risk response, - control activities, - information and communication, and - monitoring. These are derived from the way management runs an enterprise and are integrated with the management process This is illustrated in Figure 1.4. Figure 1.4 Entreprise Risk Management Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission, 2004: 5). 5. The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity s mission and are consistent with its risk appetite. Internal and external events affecting achievement of an entity s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management s strategy or objective-setting processes. Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Management selects risk responses avoiding, accepting, reducing, or sharing risk developing a set of actions to align risks with the entity s risk tolerances and risk appetite. Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. These are called control activities. Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both (Committee of Sponsoring Organizations of the Treadway Commission, 2004: 3-4). 20

21 Chapter 1: Introduction 1.2. Research objectives and methodology 1. With the modernization of budgeting and accounting systems, also on the audit side, there is a need to move to better performing systems. The objective of this report is to describe the international trends in the modernization of the control pyramid in the public sector. 2. The units of analysis of this study are the actors responsible for audit and control in the central or federal government: - the external auditor or Supreme Audit Institution, - the internal auditor, - the internal controller, and - the audit committee. 3. In this international study six OECD governments are compared: - the federal government of Australia, - the federal government of Canada, - the central government of the Netherlands, - the central government of Sweden, - the central government of the United Kingdom, and - the federal government of the United States. 4. These countries are selected as they were pioneers in the introduction of results-oriented techniques and instruments to modernize their financial systems. 5. We use a multiple case study approach combined with a rather standardized description and classifications as used in case surveys. The research is based on a qualitative analysis of secondary data (reports and evaluations about the budget reforms) as well as primary data (in-depth interviews with expert witnesses and civil servants involved). 21

22 The modernization of the public control pyramid: international trends 1.3. Research questions of the international study The following table gives an overview of the questions that are answered in this study. For each level in the control pyramid, we developed a set of topics and research questions, that are summed up in Table External audit 1.1. Legal authority and mandate Legal authority - Is the authority and independence of the Supreme Audit Institution derived form the Constitution? - From which legislation does the Supreme Audit Institution derive its authority and independence? Mandate - Which institutions are audited by the Supreme Audit Institution? o Central ministries / departments? o Other government agencies? o State corporations / autonomous agencies? o Other, at regional level? o Other, at local level? o Other? - Which types of audit are performed by the Supreme Audit Institution? - Is the Supreme Audit Institution mandated or authorized to perform a priori audits? - Is the Supreme Audit Institution mandated or authorized to perform financial audits o of individual entities? o of the government as a whole? - Is the Supreme Audit Institution mandated or authorized to perform legislative compliance audits? - Is the Supreme Audit Institution mandated or authorized to perform performance audits - Is the SAI Supreme Audit Institution mandated or authorized to perform other types of audits? 1.2. Audit roles Auditor role - Does the Supreme Audit Institution perform financial audits, compliance audits and performance audits? - What is the ratio of performance audit to financial audit? - What are the number of financial audit reports, performance audit reports and other reports per year? - Can the Supreme Audit Institution contract out to other entities? - What is the ratio of contracted out financial audits to all financial audits? - What is the policy concerning outsourcing? Advisory role - Does the Supreme Audit Institution play an advisory role? Research and development role - Does the Supreme Audit Institution play a research and development role? Model for effective public management 1.3. Organizational structure Name of the Supreme Audit Institution - Does the Supreme Audit Institution strive to be an example of good public management? - What is the name of the Supreme Audit Institution? Status - To which body is the Supreme Audit Institution primarily accountable? - Does the Supreme Audit Institutions have a jurisdictional status? Structure - How is the Supreme Audit Institution organized? (by audit types? by policy areas? a matrix?) Number and skills of members of staff - How many members of staff does the Supreme Audit Institution employ? - How had the number of staff evolved over time? - What are the main skills of the employees? Are they mainly accountants or does the Audit Institution has an interdisciplinary team? Funding - How is the budget appropriated? - Who approves the budget? - Can the Supreme Audit Institution charge fees for the delivery of products and services? External scrutiny - Who audits the accounts and / or performance of the external auditor? 1.4. Cooperation with other audit forms - Does the external auditor rely in its work on or cooperate with other actors? - What form does the cooperation takes? 2. Internal Audit 2.1. Legal authority and mandate Legal Authority - Are there laws or regulations, which define coherent principles, systems and functioning of internal audit? - Which organization defines the policy on internal audit? Is there a central office (in the ministry of finance, an independent government 22

23 Chapter 1: Introduction organization, other) for controlling and monitoring internal audit? Mandate - Which institutions are audited by internal audit? - Which types of audits are internal audits units mandated to conduct: - Reviews of management (internal) control arrangements? - Financial audits? - Legislative compliance / regularity audits? - Performance audits? - Other types of audits? 2.2. Audit roles - Which audit roles are played by the internal auditor? 2.3. Organizational structure - How are the internal audit units structured? Status - At what organizational level do internal audit entities exist? - Whole of government, - Ministry / department wide, - Program level, - Outcome level, - Not according to structure of executive branch Structure - How are the internal audit units structured? To whom are these units reporting? Number and skills of members of staff - What is the number of internal auditors in the central government? What are the main skills of internal auditors? Funding - How are resources allocated to internal audit units? - How are these units funded? - What is the internal audit budget in the central government? Scrutiny - Are internal audit procedures subject to effective process review by external auditors? 2.4. Cooperation with other audit forms - Does the internal audit cooperate with other actors (other government (internal) audit organizations, private sector audit firms, other)? - Are internal audit units expected to co-ordinate plans with those of the external auditor? - What form does the cooperation takes? 3. Internal control 3.1. Legal authority and mandate Legal authority - Are there laws or regulations, which define coherent principles, systems and functioning of internal controls? - Are government entities subject to a mandatory framework or model for their internal control? Mandate - Is internal control mandated or authorized to provide reasonable assurance regarding the achievement of objectives in the following categories: - Effectiveness and efficiency of operations? - Reliability of financial reporting? - Compliance with applicable laws and regulations? - Safeguarding of assets against unauthorized acquisition, use or disposition? - Others? 3.2. Role of the internal control - On which category does the internal control focuses? - How does one report on internal control? 3.3. Organization Status - What is the status of the internal controller? Internal control model - Which internal control model is used? Scrutiny - Does the internal audit scrutinize the internal control system? - Is the Supreme Audit Institution empowered to audit the management (internal) control systems? 4. Audit committee 4.1. Legal authority and mandate Legal authority - What is the legal authority of the audit committee? Mandate - What is the mandate of the audit committee? 4.2. Audit Committee s Role - What is the role of the audit committee? 4.3. Organization - How is the audit committee organized? Table 1.2 Research questions of the international study on the control pyramid. 23

24

25 Chapter 2: The control pyramid in Australia CHAPTER 2. The control pyramid in Australia 1. What is the control pyramid looking like in the Australian federal government? The external auditor is the Australian National Audit Office, which is lead by the Auditor General. Large departments and agencies usually have their own internal audit function. Internal audit units report to an audit committee. The internal control model used in the Australian federal government is based on the COSO-model External audit Legal authority and mandate Legal authority 1. The Auditor-General Act 1997 (AG Act 1997), which replaced the Audit Act 1901 that created the Office of the Auditor-General, was enacted on 1 January The Auditor-General Act 1997 provides a legislative framework for the Office of the Auditor-General and the Australian National Audit Office (ANAO). The Act establishes the Auditor-General as an independent officer of the Parliament. The Act also outlines the mandate and powers of the Auditor-General, as the external auditor of Commonwealth public sector entities Mandate 1. The Audit Office built on its initial role of verifying the public accounts and extended its mandate gradually improving the ways governments are held to account. The Auditor-General has a broad mandate to audit the financial statements of all Commonwealth entities, their audit clients, and subject to some qualifications to undertake performance audits on those same entities. The audit clients of Australian National Audit Office include some 300 government bodies. 2. The mandate of the Auditor-General, which is described in the Auditor General Act 1997, extends to all Commonwealth agencies, authorities, companies and subsidiaries with the exception of performance audits of Government Business Enterprises which may be undertaken at the request of the responsible Minister, the Finance Minister or the Joint Committee of Public Accounts and Audit (JCPAA). The term agency comprises departments of state, departments of parliament and prescribed agencies (the Office of Legislative Drafting, Attorney-General's Department, 1998c pp.2). A Commonwealth authority is a body corporate that holds money on its own account and has been created by the Parliament to perform specific functions. A Commonwealth company means a Corporations Law company in which the Commonwealth has a controlling interest (the Office of Legislative Drafting, Attorney-General's Department, 1998b pp.37). Government Business Enterprise means a Commonwealth authority or Commonwealth company that is prescribed by the regulations for the purpose of this definition. What institutions? 1. Table 2.1 gives an overview of the organisational scope of the mandate of the Australian National Audit Office. 25

26 The modernization of the public control pyramid: international trends Institutions Yes No Central ministries and/or departments Other government agencies State corporations / autonomous agencies Other, at regional level (province, state or district) The Auditor-General may accept appointment under the Corporations Law of a State or Territory Other, at local (municipal, urban) level Other The Auditor-General may enter into an arrangement with any person or body Table 2.1 Institutions audited by the Australian National Audit Office. Types of audit? 1. Table 2.2 gives an overview of the types of audit that the Australian National Audit Office performs within its mandate. The SAI is mandated or authorized to perform: Activity Yes No A priori audits Financial audits - of individual entities - of the government as a whole Legislative compliance / regularity audits Performance audits Others The Auditor-General may provide advice or information Table 2.2 Types of audit conducted by the Australian National Audit Office. 26

27 Chapter 2: The control pyramid in Australia Audit roles Auditor role 1. The ANAO produces an integrated range of audit reports. Their main products are financial statements and performance audits, audits of financial control and administration, assurance control and assessment audits and protective security audits. This is illustrated in Figure Commencing from the financial year, the financial control and administration audit reports, and the assurance and control assessment audit reports have been replaced by new Business Support Process Audit Reports (BSPAs). Business Support Process Audit Reports examine business processes that support the delivery of outputs provided by public sector agencies. The focus of Business Support Process Audit Reports is essentially the efficiency and effectiveness of the accountability, control and compliance mechanisms operating within public sector entities. Nine BSP audit reports were tabled during (Australian National Audit Office, 2003a pp.52). The cost of BSP audit reports output for was $2.22 million. Figure 2.1 The audit process of the Australian National Audit Office (Australian National Audit Office, 2001 pp.8). 3. The performance audits and related products have become the most prominent of the services of the Australian National Audit Office in recent years. About 60% of the personnel and one third of the financial resources are now used for performance audits 1. During the fiscal year , the Australian National Audit Office produced 47 performance audit reports. Figure 2.2 shows the evolution in the number of performance audit reports over the past eight years (Australian National Audit Office, 2003a pp.28). The performance audit reports output consumed $ million in resources in ($ million in ). Overall, the Performance Audit Services Group charged hours in Based on interviews with senior officials of ANAO during a research visit to Australia in August

28 The modernization of the public control pyramid: international trends Figure 2.2 Number of performance reports of the Australian National Audit Office. 4. The Australian National Audit Office issued 257 audit opinions for the audit cycle ended October The decrease in the number of financial audit opinions (see Figure 2.3) is explained by the reduction in the number of Australian Government reporting entities due to the sale or wind up of a number of companies / corporations. Financial statement audits for the financial year required approximately hours and consumed $ million ( hours and $ million respectively in ) of resources (Australian National Audit Office, 2003a pp.50).. Figure 2.3 Number of financial statement audit reports of the Australian National Audit Office. 5. Protective security audits are across-the-board studies that examine particular aspects of security, including information security, personnel security and physical security (Australian National Audit Office, 2003a pp.55). One protective security audit report was produced in at a cost of $0.137 million ($0.214 million in ). 6. Section 27 of the Auditor General Act 1997 states that the Auditor-General, on behalf of the Commonwealth, may engage any person under contract to assist in the performance of any Auditor- General function (the Office of Legislative Drafting, Attorney-General's Department, 1998a pp.17). 7. The Australian National Audit Office makes extensive use of the private sector in the delivery of its audit services where it is cost-effective to do so, with approximately 30 per cent of financial statement audits being outsourced for the financial year (Australian National Audit Office, 2002a pp.63). 8. From time to time, the Australian National Audit Office will put out tender requests for the audit of financial statements of various government entities. Open tender processes are conducted that seek high quality services that provide value for money for the Australian Government. Using an initial tender process the Australian National Audit Office has selected and maintained a panel of 28

Internal Control - Integrated Framework Executive Summary Senior executives have long sought ways to better control the enterprises they run. Internal controls are put in place to keep the company on course

COMPTROLLER OF ACCOUNTS Ministry of Finance Government of the Republic of Trinidad Tobago Internal Audit Manual Prepared by the Financial Management Branch, Treasury Division, Ministry of Finance TABLE

What Is the Total Public Spending on Education? Indicator On average, OECD countries devote 12.9% of total public expenditure to, but values for individual countries range from less than 10% in the Czech

Government at a Glance 2015 Size of public procurement Strategic public procurement E-procurement Central purchasing bodies 135 Size of public procurement Public procurement refers to the purchase by governments

Gini Coefficient The Gini Coefficient is a measure of income inequality which is based on data relating to household s disposable income. A Gini Coefficient of zero indicates perfect income equality, whereas

GUIDELINES ON INTERNAL CONTROL FOR LICENSED FINANCIAL INSTITUTIONS Section 1.0 Introduction The guidelines set below form a minimum standard for internal audit unit/ section/ department of all operating

Indicator What Proportion of National Wealth Is Spent on Education? In 2008, OECD countries spent 6.1% of their collective GDP on al institutions and this proportion exceeds 7.0% in Chile, Denmark, Iceland,

OECD Countries Local Government Fiscal Context [DRAFT 1-29-133-31-14] Hal Wolman and Diana Hincapie, George Washington Institute of Public Policy Below we present a contextual overview of local government

Early Childhood Education and Care Participation in education by three- and four-year-olds tends now to be high, though coverage is a third or less of the age group in several OECD countries. Early childhood

Christopher G. Nickell and Charles Denyer Statement on Auditing Standard No. 70 (SAS 70) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants

COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

How Much Time Do Teachers Spend Teaching? The number of teaching hours in public schools averages 779 hours per year in primary, 71 in lower secondary and 656 in upper secondary. The average teaching time

Indicator On What Resources and Services Is Education Funding Spent? In primary, secondary and post-secondary non-tertiary education combined, current accounts for an average of 92% of total spending in

This document was produced by UK NARIC for the National College for Teaching and Leadership (NCTL) 1. Introduction The current allocation of bursaries for postgraduate teacher training places in England

INTRODUCTION Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives

Overview of the OECD work on transfer pricing Written contribution to the Conference Alternative Methods of Taxation of Multinationals (13-14 June 2012, Helsinki, Finland) by Marlies de Ruiter, Head of

www.pwc.com/us/nes Evolution of Territorial Tax Systems in the OECD Evolution of Territorial Tax Systems in the OECD April 2, 203 Prepared for The Technology CEO Council Evolution of Territorial Tax Systems

TIMOSHIN Nikolay Viktorovich Justice, Supreme Court of the Russian Federation(RF) Chairman, Panel of Judges of the First Instance, Criminal Judicial Chamber of the Supreme Court of the Russian Federation

Audit of the Policy on Internal Control Implementation Natural Sciences and Engineering Research Council of Canada Social Sciences and Humanities Research Council of Canada February 18, 2013 1 TABLE OF

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org. Financial

International Standards for the Professional Practice of Internal Auditing Introduction Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve

This material is designed to assist you when discussing audit, assurance and related service offerings with your clients. This material contains a number of parts which explain, in simple language, what

Corporate Plan 2015-16 Statement of preparation I Nick Ryan, as the accountable authority of the Australian Aged Care Quality Agency present the 2015-16 Corporate Plan (the Plan), as required under paragraph

OECD - Paris, 8 April 2015 Development aid stable in 2014 but flows to poorest countries still falling Key aid totals in 2014 Detailed summary In 2014, net official development assistance (ODA) flows from

ISSAI 100 The International Standards of Supreme Audit Institutions, or ISSAIs, are issued by INTOSAI, the International Organisation of Supreme Audit Institutions. For more information visit www.issai.org

Legislative Audit: Serving the Public Interest February 2000 The CCOLA Study Group on Defining the Profession of Legislative Auditing prepared this paper for use by Legislative Auditors as they see fit.

Effective Internal Audit in the Financial Services Sector Recommendations from the Committee on Internal Audit Guidance for Financial Services: How They Relate to the Global Institute of Internal Auditors

TRANSFERRING INTERNAL CONTROL KNOWLEDGE FROM LEGISLATION TO SCHOOL MANAGEMENT: THE CASE OF SLOVENIA Tatjana Horvat International School for Social and Business Studies, Slovenia tatjana.horvat@mfdps.si

Appendix C National Subscription Television Regulations Australia At least 10% of annual programme expenditure on pay TV drama services must be on new eligible (Australian) Same requirements as cable television

Republic of Macedonia MINISTRY OF FINANCE Public Internal Financial Control Department Central Harmonisation Unit for Financial Management and Control MANUAL FOR FINANCIAL MANAGEMENT AND CONTROL Skopje,

Taxation of Foreign Income by the U.S. and Other Governments James R. Hines Jr. University of Michigan and UC-Berkeley February 2009 1 American Taxation of Foreign Income. The U.S. practice of taxing foreign

INTOSAI GOV 9150 The International Standards of Supreme Audit Institutions, ISSAIs, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org

I János Ivanyos József Roóz A new approach in the assessment of the internal control systems applied in the public sector 1 In our article, we will describe the new approach that supports the assessment

PRINCIPLES FOR EVALUATION OF DEVELOPMENT ASSISTANCE DEVELOPMENT ASSISTANCE COMMITTEE PARIS, 1991 DAC Principles for Evaluation of Development Assistance Development Assistance Committee Abstract: The following

PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect

NATIONAL AUDIT OFFICE OF MALAWI AUDITING STANDARDS Foreword I am pleased to issue the Malawi National Audit Office Auditing Standards. The Auditing Standards have been developed under the auspices of the

Public Sector Pensions An Overview Hazel Bateman Centre for Pensions and Superannuation Australian School of Business, UNSW October 2011 Outline Background and stylised facts Public sector pensions across

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Introduction to the International Standards Internal auditing is conducted in diverse legal and cultural environments;

until further notice 1 (10) Applicable to investment firms GUIDELINE ON RISK MANAGEMENT AND INTERNAL CONTROL PRINCIPLES AS WELL AS INTERNAL AUDIT FUNCTION OF INVESTMENT FIRMS By virtue of section 4, point

The term control environment refers to an entity s corporate culture, showing how much the entity s leaders value ethical behavior and internal control. The key element in a favorable control environment

MERCER S COMPENSATION ANALYSIS AND REVIEW SYSTEM AN ONLINE TOOL DESIGNED TO TAKE THE WORK OUT OF YOUR COMPENSATION REVIEW PROCESS MERCER S COMPENSATION ANALYSIS AND REVIEW SYSTEM www.imercer.com/cars Mercer